
How do I prevent a former employee sending email that looks like it’s from my company’s domain?

Question:

How do I stop Hotmail from sending third-party emails? An ex-employee set up
his Hotmail account to send from his corporate email address. How can I prevent
him from sending from that email address through his Hotmail account?

In this excerpt from Answercast #71, I look at ways a former employee could be
sending email that looks like it is from the company domain.


Former employee’s email

Well, to begin with, I’m not aware of Hotmail actually being able to
truly send from an account that is not Hotmail. In other words, I
believe you cannot configure Hotmail.com to send as, say, Ask-Leo.com.

Now, that being said, maybe someday they will. You can absolutely do that
with Gmail. With Gmail, you can set it up to send mail as if it were from a
different domain.

Spoofing the “From” field

Now, there are two very important, different ways of doing this. In a case
like the one you describe, one of them you have control over – and one you do not.

The first is when the email service does this independently of your email
server.

In other words, you’ve got Foo.com, you own the mailer for Foo.com, you
control all the mail for Foo.com, and yet your rogue employee has configured his
Gmail account to send as if it were from Foo.com.

There’s nothing really you can do about that. Ultimately, what that
employee has done is “from spoofing.” It’s the same as, or very similar to,
the “from spoofing” that spammers use all the time.

It is very, very easy to fake the “from” address.

It may not be obvious, but in the headers you can in fact find out that,
“Oh yeah, this wasn’t really from so-and-so. It came from this other server
in China,” or wherever. The point, though, is that to the naked eye, to the
recipient of that message, it still looks like it came from Foo.com – even
though it never touched a Foo.com server.
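What that header check looks like in practice, as an added example that is not part of the original answer: it walks the Received lines of a message and reports whether any hop belongs to the domain shown in “From”. The sample message, the host names, and the function names are constructed for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample message (not a real capture). foo.com stands in for the
# company domain; the relay and recipient hosts are placeholders.
SPOOFED = """\
Return-Path: <someone@webmail.example>
Received: from relay.webmail.example (relay.webmail.example [203.0.113.25])
\tby mx.recipient.example with ESMTP id abc123;
\tWed, 21 Nov 2012 10:00:02 -0800
Received: from [198.51.100.7] by relay.webmail.example with HTTP;
\tWed, 21 Nov 2012 10:00:01 -0800
From: Former Employee <former.employee@foo.com>
To: customer@recipient.example
Subject: Quick update

Hello.
"""

def domain_of(addr):
    """Lowercased domain part of an address header value ('' if absent)."""
    return parseaddr(addr or "")[1].rpartition("@")[2].lower()

def in_domain(host, domain):
    """True if host is the domain itself or a subdomain of it."""
    host = host.lower().rstrip(".")
    return host == domain or host.endswith("." + domain)

def received_hosts(msg):
    """Host names in the 'from X' / 'by Y' clauses of every Received header.
    Only the line added by your own receiving server is trustworthy; lines
    below it were written by the sending side and can be made up."""
    hosts = []
    for value in msg.get_all("Received", []):
        hosts += re.findall(r"\b(?:from|by)\s+([A-Za-z0-9.-]+\.[A-Za-z]{2,})", value)
    return hosts

def check_from(raw):
    """Compare the visible From domain with the servers that handled the mail."""
    msg = message_from_string(raw)
    from_domain = domain_of(msg["From"])
    hosts = received_hosts(msg)
    return {
        "from_domain": from_domain,
        "return_path_domain": domain_of(msg["Return-Path"]),
        "hops": hosts,
        "touched_from_domain": any(in_domain(h, from_domain) for h in hosts),
    }
```

For the sample, the visible sender is at foo.com, yet no hop is a foo.com host and the Return-Path points at the webmail provider.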

So that’s the one you don’t have control over. I really don’t know a way of
solving that. It would be very easy for me to configure a desktop email program
to send all of my email as if it were coming from Foo.com even though I don’t
own Foo.com and I have nothing to do with Foo.com.

Sending through a server

The other scenario (and the reason I bring this scenario up is, I believe,
this may be possible with Hotmail) is that you may be able to instruct
Hotmail to send using your server.

In other words, when Hotmail goes to send a piece of mail, instead of
sending it itself, it sends through your server. I know this is
possible in Gmail. What it means is that email honest to goodness, really is
coming from your server.

So, for example, I configure the mail program in Gmail (I’ll use that since
I know it works). You configure Gmail to send from Foo.com, through
the Foo.com server. When the recipient gets it, it looks like that email came
from Foo.com – because it did!

That one’s easy to fix. Disable the account.

In other words, whoever this rogue employee is that’s doing this – make
sure that their account is incapable of sending email on your server. Make sure
that the account is disabled.

One of the things you might want to do is make sure that the account can
still receive email so that, perhaps, you can keep track of what this
person is doing, in case people reply to him.

Manage your server

The important thing is you want to make sure that that employee cannot send
email through your server. Through the Foo.com server.

That means whoever is administering your email needs to know how to do
that. They need to know how to turn off the ability to send for that email
account. If they can’t do that without also disabling the ability to receive,
that’s probably worth it. Disable the account completely. Remove the
account completely – whatever it takes to stop that employee from being able to
send email through your server.

But like I said, the bottom line is that what we’re really talking about
here is “from spoofing” and Lord knows if the spammers can do it very
trivially, so can your employees.


2 comments on “How do I prevent a former employee sending email that looks like it’s from my company’s domain?”

  1. You probably also want to send the former employee a registered letter explaining that you have found out they are sending out their email with your company’s address and that they should end the practice.

    If you parted ways on good terms, they will probably say oops and fix things.

    If you parted on bad terms, you might want to have a lawyer discuss additional wording that this use would be considered fraud and that they are liable for any damages to you or your company due to this fraud.

  2. Years ago, when people would tell me that it was “impossible” (or, at least, “almost impossible”) to spoof the “from”, I would demonstrate otherwise. A few minutes later, they would get an e-mail “from” the President of the United States, explaining that such spoofing was quite easy to do.

    Many years ago at a certain large software company I’ll admit to originating some internal mail that came “From: Santa.Claus@northpole.com”. :-)

    Leo
    21-Nov-2012
